FROM CONTINUOUS INTEGRATION TO VIRTUAL PATCHING BUILDING APPSEC ALL ALONG THE WEB APPLICATION LIFECYCLE.


1 FROM CONTINUOUS INTEGRATION TO VIRTUAL PATCHING BUILDING APPSEC ALL ALONG THE WEB APPLICATION LIFECYCLE

2 Mikael Le Gall, Security Sales Engineer EMEA, Rapid7. Areas: Application Security Testing, Application Development, Vulnerability Management, Incident Detection & Response. Languages: French ✔ English ✔ Arabic ✖

3 APPLICATION SECURITY IS A KEY CHALLENGE

4 Web applications are a primary target. They accounted for up to 40% of confirmed breaches in some industries, and 95% of confirmed web app breaches were financially motivated. Source: the 2016 Verizon Data Breach Investigations Report.

5 So, why is application security so hard? Attackers, attacks and applications are all in constant evolution.

6 Evolving attackers: hacktivists, state sponsored, cyber criminals, insider threat.

7 Evolving attacks: the OWASP Top 10.

8 OK, I GET IT… I NEED TO SCAN MY APPLICATIONS

9 Plenty of free attacking tools: SQLMap, w3af, Burp Suite, Skipfish, Grendel-Scan, ZAP Proxy, etc… All great exploit tools and a good way to get started… but they can only do so much.

10 Attacking is the easy part

11 You can’t attack what you can’t see

12 Evolving application complexity (timeline from 1990 to 2020): HTML static pages; CGI scripted pages; Web 2.0 (AJAX, Flash/Flex, Silverlight); Web 3.0 & mobile (JSON, REST, AMF, SOAP); application frameworks (SOAs); JavaScript.

13 Summary. Attackers: economically motivated attackers use sophisticated tools. Applications: sophisticated applications confuse some automated detection. Attacks: attacks are changing, and the OWASP Top 10 is not enough.

14 DEVSECOPS

15 Different teams, different goals…

16 What is DevOps? DevOps is the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process to production support.

17 DevSecOps: “Everyone is responsible for security”, with the goal of safely distributing security decisions at speed and scale. It does not have to be like this. (Image: Pete Cheslock at #DevOpsDaysAustin.)

18 Problems with security at the end: 1. Increased costs. 2. Delayed releases.

19 Find and fix security issues early in the SDLC! After an application is released into production, it costs 30x more to fix an issue than during design. Chart (cost source: NIST): relative cost multipliers 2x, 5x, 10x, 15x and 30x across the phases Requirements, Coding, Integration/component testing, System testing and Production.

20 Development Cycle based on Continuous Integration

21 Embed Scanning Into the Development Cycle
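One concrete way to embed scanning into a continuous integration cycle is a gate step that reads the scanner's findings and fails the build only on new findings at or above a severity threshold, so that already-triaged issues do not block every pipeline run. The script below is an added example, not Rapid7's or any scanner's code; the JSON finding format (records with "type", "path", "param" and "severity" keys), the baseline file of accepted findings and the sample data are all assumptions constructed for the example.

```python
"""CI gate for application scan results.

Added example (not Rapid7's or any scanner's code). It assumes the scanner
exports findings as JSON records with "type", "path", "param" and "severity"
keys, and that a triaged baseline of accepted findings is kept alongside the code.
"""
import json
import sys

# Ordered severities; anything at or above the threshold blocks the build.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scan output, as a DAST run against a CI build might report it.
SAMPLE_FINDINGS = [
    {"type": "sqli", "path": "/account", "param": "id", "severity": "high"},
    {"type": "xss", "path": "/search", "param": "q", "severity": "medium"},
    {"type": "missing-header", "path": "/", "param": "", "severity": "low"},
]

# Constructed baseline: findings already triaged in a previous pipeline run.
SAMPLE_BASELINE = [
    {"type": "missing-header", "path": "/", "param": "", "severity": "low"},
]


def fingerprint(finding):
    """Stable identity for a finding, so one issue is not reported as new on every run."""
    return (finding["type"], finding["path"], finding.get("param", ""))


def evaluate(findings, baseline, threshold="high"):
    """Partition findings into new-and-blocking, new-but-tolerated, and already known."""
    if threshold not in SEVERITY_RANK:
        raise ValueError(f"unknown severity threshold: {threshold}")
    known = {fingerprint(b) for b in baseline}
    report = {"blocking": [], "tolerated": [], "known": []}
    for f in findings:
        severity = f.get("severity", "info").lower()
        if fingerprint(f) in known:
            report["known"].append(f)
        elif SEVERITY_RANK.get(severity, 0) >= SEVERITY_RANK[threshold]:
            report["blocking"].append(f)
        else:
            report["tolerated"].append(f)
    return report


def gate(findings, baseline, threshold="high"):
    """Exit code for the pipeline step: 1 blocks the merge, 0 lets it through."""
    return 1 if evaluate(findings, baseline, threshold)["blocking"] else 0


def main(argv):
    """Usage: gate.py findings.json baseline.json [threshold]"""
    if len(argv) < 3:
        print(main.__doc__)
        return 2
    with open(argv[1]) as fh:
        findings = json.load(fh)
    with open(argv[2]) as fh:
        baseline = json.load(fh)
    threshold = argv[3] if len(argv) > 3 else "high"
    report = evaluate(findings, baseline, threshold)
    for f in report["blocking"]:
        print(f"BLOCKING {f['severity']} {f['type']} at {f['path']} param={f.get('param', '')}")
    print(f"{len(report['blocking'])} blocking, {len(report['tolerated'])} tolerated, "
          f"{len(report['known'])} known")
    return gate(findings, baseline, threshold)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The baseline is what keeps the gate from becoming the "security at the end" bottleneck the deck warns about: new high-severity findings stop the merge, while tolerated and known ones are still printed so the team sees them without the pipeline going red on every run.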

22 VIRTUAL PATCHING

23 How long does it take for web vulns to get fixed? From: Whitehat’s 2012 Report

24 Challenges around protecting the applications. WAFs are a critical component of your AppSec strategy. Efficiency ratio: # attacks blocked / # false positives. Challenges: ‒ Applications are changing too quickly to keep up (technologies and pace of releases) ‒ Lack of time/expertise/resources to manage the WAF ‒ False positives are paralysing (WAF used in non-blocking mode)

25 Virtual patching: leverage the result of a scan to automate rule creation. Effective custom virtual patch: WAF knowledge plus application knowledge, then patch the WAF. Ineffective virtual patch: just turn on a default WAF rule.

26 Accelerate your remediation: the defensive workflow. 1. Run a scan and import the discovered vulnerabilities into the rule creation module. 2. Select the vulnerabilities to protect against. 3. Generate filters and upload them into the WAF/IPS. 4. Run QuickScan to verify the effectiveness of the rules.

27 Always measure efficiency!
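The four-step defensive workflow on slide 26 and the efficiency ratio from slide 24 can be shown end to end in code: findings from a scan become rules scoped to one path and one parameter (the "WAF knowledge + app knowledge" custom patch, rather than a default rule applied everywhere), and the rules are then run against labelled traffic to count attacks blocked versus false positives. This is an added example, not Rapid7's or any WAF's code; the finding format, the traffic sample, the detection patterns and the ModSecurity-style rule text (shown for shape only, without engine-specific escaping) are all constructed assumptions.

```python
"""Virtual patching: turn scan findings into WAF rules scoped to one path and
parameter, then measure the resulting efficiency ratio on labelled traffic.

Added example, not Rapid7's or any WAF's code. The finding format, the traffic
sample and the ModSecurity-style rule text are constructed here and assumed.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed scanner output: one finding per vulnerable parameter.
FINDINGS = [
    {"id": "F-1", "type": "sqli", "path": "/account", "param": "id"},
    {"id": "F-2", "type": "xss", "path": "/search", "param": "q"},
]

# Narrow patterns per vulnerability class. A virtual patch applies them only to
# the reported path and parameter, unlike a default rule applied everywhere.
PATTERNS = {
    "sqli": r"(?i)(['\"]\s*(or|and)\s+[\w'\"]+\s*=|union\s+select|--|;)",
    "xss": r"(?i)(<\s*script|javascript:|on\w+\s*=)",
}


@dataclass
class VirtualPatch:
    finding_id: str
    path: str
    param: str
    pattern: str

    def blocks(self, method, url, body=""):
        """True if the request targets the patched path and the parameter value matches."""
        parsed = urlparse(url)
        if parsed.path != self.path:
            return False
        args = parse_qs(parsed.query)
        if method == "POST" and body:
            for key, values in parse_qs(body).items():
                args.setdefault(key, []).extend(values)
        return any(re.search(self.pattern, v) for v in args.get(self.param, []))

    def to_modsec(self, rule_id):
        """Render as a chained ModSecurity-style rule (illustrative syntax, assumed)."""
        return (
            f'SecRule REQUEST_URI "@streq {self.path}" '
            f'"id:{rule_id},phase:2,deny,status:403,log,'
            f"msg:'virtual patch for {self.finding_id}',chain\"\n"
            f'    SecRule ARGS:{self.param} "@rx {self.pattern}"'
        )


def build_patches(findings):
    """Steps 1 to 3: import findings, select those a filter exists for, generate filters."""
    patches = []
    for f in findings:
        pattern = PATTERNS.get(f["type"])
        if pattern is None:
            continue  # no virtual patch for this class; it needs a code fix instead
        patches.append(VirtualPatch(f["id"], f["path"], f["param"], pattern))
    return patches


# Constructed labelled traffic: (method, url, body, is_attack).
TRAFFIC = [
    ("GET", "/account?id=42", "", False),
    ("GET", "/account?id=1' OR '1'='1", "", True),
    ("POST", "/account", "id=1 UNION SELECT 1", True),
    ("GET", "/account?id=us--east", "", False),  # legitimate value that trips the '--' check
    ("GET", "/search?q=shoes", "", False),
    ("GET", "/search?q=<script>test</script>", "", True),
]


def measure(patches, traffic):
    """Step 4: verify the rules. Efficiency ratio = attacks blocked / false positives."""
    blocked = missed = false_pos = 0
    for method, url, body, is_attack in traffic:
        hit = any(p.blocks(method, url, body) for p in patches)
        if is_attack and hit:
            blocked += 1
        elif is_attack:
            missed += 1
        elif hit:
            false_pos += 1
    if false_pos == 0:
        ratio = float("inf") if blocked else 0.0  # no false positives: ratio is unbounded
    else:
        ratio = blocked / false_pos
    return {"blocked_attacks": blocked, "missed_attacks": missed,
            "false_positives": false_pos, "efficiency_ratio": ratio}


if __name__ == "__main__":
    patches = build_patches(FINDINGS)
    for n, p in enumerate(patches, start=900001):
        print(p.to_modsec(n))
    print(measure(patches, TRAFFIC))
```

The `us--east` request is deliberately in the sample: it is exactly the kind of legitimate value that turns a rule into a false positive and pushes a team to leave the WAF in non-blocking mode, which is why the ratio is computed before the rules go live and again after each application release.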

28 THANK YOU mikael_legall@rapid7.com

